Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/150a1839886ffde6659dbc249f942d7868096390 (Bail out of computing style for invisible elements).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

I'm pretty sure this isn't related to my change.

Unable to find actual suspect through code search and also observing no CL's under regression range, hence adding appropriate label and requesting someone from dev team to look in to this issue.

Thanks!

rakina@, reverting your change fixes the crasher.

Oops you're right, sorry. Investigating...

So somehow we ended up calling Font::PrimaryFont while the |font_fallback_list_| is null. I'm not sure when the |font_fallback_list_| is supposed to be set, and how it relates to the ComputedStyle of  invisible elements (regression happens after moving it to Element::StyleForLayoutObject https://chromium-review.googlesource.com/c/chromium/src/+/1276066)

futhark@, do you have any ideas?

StyleResolver::UpdateFont() normally sets up fonts during style resolving. StyleResolver::InitialStyleForElement does this for the initial styles. You can probably use StyleResolver::InitialStyleForElement() instead of ComputedStyle::Create() or take what you need from there.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5a003d5c1d58bb77e0ccccfadc7b84edad0b4839

commit 5a003d5c1d58bb77e0ccccfadc7b84edad0b4839
Author: Rakina Zata Amni <rakina@chromium.org>
Date: Thu Nov 22 06:33:03 2018

Use InitialStyleForElement for invisible elements

We previously used ComputedStyle::Create when creating ComputedStyle for
invisible elements, but the ComputedStyle made with that lacks some
setup needed for it to actually be usable correctly. Example case is
the style's font fallback list is not set, leading to some crashes.

Bug:  904791 
Change-Id: I512082af6dcf7a5076eb033a2f9a78b83020e47e
Reviewed-on: https://chromium-review.googlesource.com/c/1345952
Commit-Queue: Rakina Zata Amni <rakina@chromium.org>
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610322}
[modify] https://crrev.com/5a003d5c1d58bb77e0ccccfadc7b84edad0b4839/third_party/blink/renderer/core/css/resolver/style_resolver.h
[modify] https://crrev.com/5a003d5c1d58bb77e0ccccfadc7b84edad0b4839/third_party/blink/renderer/core/dom/element.cc

ClusterFuzz has detected this issue as fixed in range 610320:610323.

Detailed report: https://clusterfuzz.com/testcase?key=5147540737228800

Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::CSSToLengthConversionData::ZoomedComputedPixels
  blink::CSSPrimitiveValue::ConvertToLength
  blink::StyleBuilderConverter::ConvertLength
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=598931:598957
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=610320:610323

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5147540737228800

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5147540737228800 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.